Currently, I have my default landing page as info2.example.com. After many discussions with Marketo support, we decided to replace our SSL certificate for info2 with a SAN cert that will allow us to use multiple secured landing page URLs/subdomains.

I have added a new domain alias for "guide.example.com" and "about.example.com". Where in landing page creation can I make the subdomain one of these new CNAMEs? There is no editable field that lets me change the subdomain. Before I had the SAN cert installed, Marketo suggested I use "guide.example.com" for existing landing pages (i.e. use the URL "guide.example.com/lp-123" for an existing LP under "info2.example.com/lp-123"). This resulted in a warning message saying that "guide" was trying to use "info2" SSL. Now that we have the SAN cert installed, we no longer get that message, but "guide.example.com/lp-123" redirects to "info2.example.com/lp-123", which can confuse the user.

So the main questions are:

1. Is it possible to choose which CNAME a lp belongs to if I have domain alias set up?

2. If not possible to choose cname/sub-domain during LP creation, is it possible to keep the CNAME alias as the final URL instead of it being redirected to the default subdomain?

1. Is it possible to choose which CNAME a lp belongs to if I have domain alias set up?

Well, it "belongs" to all your CNAMEs in that it can be accessed via any of your CNAMEs.

However, as you've noticed, when an http → https redirect is necessary, it goes to your primary CNAME (i.e. the "landing page domain").

The most direct way to deal with this is to publish the page's https URL.

Short of that, you can include the original destination host in, for example, the document hash: https://about.example.com/lp.html#about. Then if a user comes in via http://about.example.com by accident and is redirected to the primary domain, you can redirect the user back to https://about.example.com.

As a complement, you can enable HSTS on the parent domain (example.com), but until you get in browsers' built-in HSTS lists there can still be the unwanted redirect. (This is the reason that anyone who isn't on HSTS preload is basically not secure.)
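
The hash-based bounce described in the answer above, sketched as an added example (not code from this thread or from Marketo). The hash tokens `about` and `guide`, the function name, and placing the script on pages served from the primary domain are assumptions; the token is looked up in a fixed allowlist so the hash can never send a visitor to a host you do not own.

```javascript
// Added example. Hostnames follow the thread; tokens and names are assumed.
const PRIMARY_HOST = 'info2.example.com';

// Allowlist: hash token -> alias host. Only these hosts are ever targets.
const ALIAS_HOSTS = new Map([
  ['about', 'about.example.com'],
  ['guide', 'guide.example.com'],
]);

// Returns the https alias URL to send the visitor back to, or null to stay.
function aliasRedirectTarget(href) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return null; // unparsable URL: do nothing
  }
  // Only act when the http -> https redirect dropped us on the primary host.
  if (url.hostname.toLowerCase() !== PRIMARY_HOST) return null;

  // The hash is attacker-controllable, so treat it as a lookup key only.
  const token = url.hash.slice(1).toLowerCase();
  const aliasHost = ALIAS_HOSTS.get(token);
  if (!aliasHost) return null; // missing or unknown token: never redirect

  // Concatenate instead of resolving the path against a base URL: a path
  // such as "//other.host/x" would otherwise be read as a new authority.
  return 'https://' + aliasHost + url.pathname + url.search + url.hash;
}

// Browser wiring: replace() keeps the primary-domain hop out of history.
if (typeof window !== 'undefined') {
  const target = aliasRedirectTarget(window.location.href);
  if (target) window.location.replace(target);
}
```

Once the visitor is back on the alias host the function returns null, so the page does not loop.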